Analysis
-
max time kernel
92s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/09/2024, 00:56 UTC
Behavioral task
behavioral1
Sample
eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe
-
Size
217KB
-
MD5
eec4b4c99ef12c3af34dbceb9bba0bd3
-
SHA1
5cdb384dc1b13b32fccb078093b8e7ea25c68053
-
SHA256
980d2ecca216194eb70a3cb502f039589f9a0c2b4fb37392c19144527423ea55
-
SHA512
92b3947cf1296b7fa9a899c4552ac74c406adda9df174155169f957e1c10a68c49dc856edb95ef25de1ea2e3bfa828f5e121415e3f1cb3587e49f89e9d55226b
-
SSDEEP
6144:OQVHddxtFrchQzcp63BkJhysb6PAE30aT:t59tFrcagQMynB
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Program Files\\Common Files\\Boot\\svhost.exe" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Program Files\\Common Files\\Boot\\svhost.exe" reg.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys reg.exe -
resource yara_rule behavioral2/memory/2280-0-0x0000000000400000-0x0000000000D57000-memory.dmp upx -
Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
pid Process 940 cmd.exe 4944 cmd.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\Boot\svhost.exe attrib.exe File opened for modification C:\Program Files\Common Files\Boot attrib.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4832 reg.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2608 cmd.exe -
Suspicious use of WriteProcessMemory 51 IoCs
description pid Process procid_target PID 2280 wrote to memory of 220 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 82 PID 2280 wrote to memory of 220 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 82 PID 2280 wrote to memory of 220 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 82 PID 2280 wrote to memory of 5056 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 84 PID 2280 wrote to memory of 5056 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 84 PID 2280 wrote to memory of 5056 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 84 PID 2280 wrote to memory of 4560 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 86 PID 2280 wrote to memory of 4560 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 86 PID 2280 wrote to memory of 4560 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 86 PID 2280 wrote to memory of 2840 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 88 PID 2280 wrote to memory of 2840 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 88 PID 2280 wrote to memory of 2840 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 88 PID 220 wrote to memory of 2656 220 cmd.exe 89 PID 220 wrote to memory of 2656 220 cmd.exe 89 PID 220 wrote to memory of 2656 220 cmd.exe 89 PID 2280 wrote to memory of 3188 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 91 PID 2280 wrote to memory of 3188 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 91 PID 2280 wrote to memory of 3188 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 91 PID 2656 wrote to memory of 2608 2656 cmd.exe 92 PID 2656 wrote to memory of 2608 2656 cmd.exe 92 PID 2656 wrote to memory of 2608 2656 cmd.exe 92 PID 2280 wrote to memory of 2568 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 93 PID 2280 wrote to memory of 2568 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 93 PID 2280 wrote to memory of 2568 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 93 PID 4560 wrote to memory of 5004 4560 cmd.exe 94 PID 4560 wrote to memory of 5004 4560 cmd.exe 94 PID 4560 wrote to memory of 5004 4560 cmd.exe 94 PID 2280 wrote to memory of 940 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 97 PID 2280 wrote to memory of 940 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 97 PID 2280 wrote to memory of 940 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 97 PID 5056 wrote to memory of 392 5056 cmd.exe 99 PID 5056 wrote to memory of 392 5056 cmd.exe 99 PID 5056 wrote to memory of 392 5056 cmd.exe 99 PID 2280 wrote to memory of 4944 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 100 PID 2280 wrote to memory of 4944 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 100 PID 2280 wrote to memory of 4944 2280 eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe 100 PID 2568 wrote to memory of 1648 2568 cmd.exe 102 PID 2568 wrote to memory of 1648 2568 cmd.exe 102 PID 2568 wrote to memory of 1648 2568 cmd.exe 102 PID 3188 wrote to memory of 1692 3188 cmd.exe 103 PID 3188 wrote to memory of 1692 3188 cmd.exe 103 PID 3188 wrote to memory of 1692 3188 cmd.exe 103 PID 2840 wrote to memory of 4832 2840 cmd.exe 104 PID 2840 wrote to memory of 4832 2840 cmd.exe 104 PID 2840 wrote to memory of 4832 2840 cmd.exe 104 PID 940 wrote to memory of 4892 940 cmd.exe 105 PID 940 wrote to memory of 4892 940 cmd.exe 105 PID 940 wrote to memory of 4892 940 cmd.exe 105 PID 4944 wrote to memory of 744 4944 cmd.exe 106 PID 4944 wrote to memory of 744 4944 cmd.exe 106 PID 4944 wrote to memory of 744 4944 cmd.exe 106 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 744 attrib.exe 4892 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd /c cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe" "C:\Program Files\Common Files\Boot\svhost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\cmd.execmd /c cmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe" "C:\Program Files\Common Files\Boot\svhost.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\cmd.execmd /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\eec4b4c99ef12c3af34dbceb9bba0bd3_JaffaCakes118.exe" "C:\Program Files\Common Files\Boot\svhost.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
PID:2608
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v shell /t reg_sz /d "C:\Program Files\Common Files\Boot\svhost.exe" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\reg.exereg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v shell /t reg_sz /d "C:\Program Files\Common Files\Boot\svhost.exe" /f3⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
PID:392
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v shell /t reg_sz /d "C:\Program Files\Common Files\Boot\svhost.exe" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\reg.exereg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v shell /t reg_sz /d "C:\Program Files\Common Files\Boot\svhost.exe" /f3⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
PID:5004
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4832
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d "1" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d "1" /f3⤵
- Disables RegEdit via registry modification
- System Location Discovery: System Language Discovery
PID:1692
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\reg.exereg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /f3⤵
- Impair Defenses: Safe Mode Boot
- System Location Discovery: System Language Discovery
PID:1648
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\Boot\svhost.exe"2⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\attrib.exeattrib +h "C:\Program Files\Common Files\Boot\svhost.exe"3⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4892
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\Boot"2⤵
- Hide Artifacts: Hidden Files and Directories
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\attrib.exeattrib +h "C:\Program Files\Common Files\Boot"3⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:744
-
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request77.190.18.2.in-addr.arpaIN PTRResponse77.190.18.2.in-addr.arpaIN PTRa2-18-190-77deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request76.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
77.190.18.2.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
76.32.126.40.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa